kawa/SharepointToolbox-Web
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
bcced08caf010d23be50e7817c1d64635ac312a0
SharepointToolbox-Web/Components/Pages/Profiles.razor
T
kawa bcced08caf Register Entra app via secretless device-code bootstrap 
AADSTS700016 came from the register flow sending the configured
Oidc:ClientId (still a placeholder) as the auth client. The desktop
reference app never needs config: it bootstraps with the first-party
"Microsoft Graph Command Line Tools" public client (14d82eec-...) via
MSAL interactive, which exists in every tenant.

Replicate that for the web app. A server can't do MSAL loopback and the
bootstrap client's redirect URIs don't include /connect/callback, so use
the OAuth 2.0 device authorization grant instead — the web-equivalent of
the desktop interactive flow:

- Add EntraDeviceCodeFlow: POST /devicecode then poll /token with the
  bootstrap client. No backing app, no client id/secret, no redirect URI.
- Profiles "Register in Entra" now shows the verification URL + user code
  and polls until the admin signs in, then calls AppRegistrationService
  to create the per-client app and adopts its appId.
- Remove the dead /connect/register-initiate endpoint and the
  IsRegistration branch from the callback (connect flow only now).

The client-tenant register/connect flows are now fully secretless. The
Oidc:* config is used only by the toolbox's own sign-in (unchanged).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-02 11:47:23 +02:00

318 lines
12 KiB
Plaintext
Raw Blame History

@page "/profiles"
@attribute [Microsoft.AspNetCore.Authorization.Authorize]
@inject IUserSessionService Session
@inject IUserContextAccessor UserContext
@inject SharepointToolbox.Web.Infrastructure.Persistence.ProfileRepository ProfileRepo
@inject ISessionCredentialStore CredStore
@inject NavigationManager Nav
@inject SharepointToolbox.Web.Services.OAuth.IEntraDeviceCodeFlow DeviceFlow
@inject SharepointToolbox.Web.Services.Auth.IAppRegistrationService AppRegService
@inject Microsoft.Extensions.Options.IOptions<SharepointToolbox.Web.Core.Config.ClientConnectOptions> ConnectOpts
@rendermode InteractiveServer
@using Microsoft.AspNetCore.WebUtilities
@using SharepointToolbox.Web.Core.Models
@using SharepointToolbox.Web.Services.Session
<h1 class="page-title">Client Profiles</h1>
<p class="page-subtitle">Manage SharePoint tenant connections. Credentials are entered per session — no secrets stored on disk.</p>
@if (UserContext.Role != UserRole.Admin)
{
@* Non-admins can only select a profile, not create/edit/delete *@
<div class="alert alert-info">Profile management is restricted to Admins. Select a profile below to work on a client.</div>
@foreach (var p in _profiles)
{
<div class="card" style="@(Session.CurrentProfile?.Id == p.Id ? "border-color:#0078d4;border-width:2px" : "")">
<div class="flex-row">
<div>
<div style="font-weight:600;font-size:15px">@p.Name</div>
<div class="text-muted">@p.TenantUrl</div>
</div>
<div class="spacer"></div>
@if (Session.CurrentProfile?.Id == p.Id)
{
<span class="chip chip-green">Active</span>
}
<button class="btn btn-secondary btn-sm" @onclick="() => SelectProfile(p)">
@(Session.CurrentProfile?.Id == p.Id ? "Selected" : "Select")
</button>
</div>
</div>
}
return;
}
@* Admin view — full CRUD *@
@if (!string.IsNullOrEmpty(_pageError))
{
<div class="alert alert-error" style="margin-bottom:12px">@_pageError</div>
}
<div class="flex-row" style="margin-bottom:16px">
<button class="btn btn-primary" @onclick="AddNew">+ New Profile</button>
</div>
@if (_profiles.Count == 0 && !_showForm)
{
<div class="alert alert-info">No profiles configured. Create one to get started.</div>
}
@foreach (var p in _profiles)
{
<div class="card" style="@(Session.CurrentProfile?.Id == p.Id ? "border-color:#0078d4;border-width:2px" : "")">
<div class="flex-row">
<div>
<div style="font-weight:600;font-size:15px">@p.Name</div>
<div class="text-muted">@p.TenantUrl</div>
<div class="text-muted">Tenant ID: @p.TenantId</div>
<div class="text-muted">Client ID: @p.ClientId</div>
</div>
<div class="spacer"></div>
@if (Session.CurrentProfile?.Id == p.Id)
{
<span class="chip chip-green">Active</span>
}
<button class="btn btn-secondary btn-sm" @onclick="() => SelectProfile(p)">
@(Session.CurrentProfile?.Id == p.Id ? "Selected" : "Select")
</button>
<button class="btn btn-secondary btn-sm" @onclick="() => EditProfile(p)">Edit</button>
<button class="btn btn-danger btn-sm" @onclick="() => DeleteProfile(p)">Delete</button>
</div>
</div>
}
@if (_showForm)
{
<div class="card" style="border-color:#0078d4">
<div class="card-title">@(_editing?.Id == null ? "New Profile" : "Edit Profile")</div>
@if (!string.IsNullOrEmpty(_formError))
{
<div class="alert alert-error">@_formError</div>
}
<div class="form-group">
<label class="form-label">Profile Name *</label>
<input class="form-input" @bind="_form.Name" placeholder="e.g. Contoso Production" />
</div>
<div class="form-group">
<label class="form-label">Tenant URL *</label>
<input class="form-input" @bind="_form.TenantUrl" placeholder="https://contoso.sharepoint.com" />
</div>
<div class="form-group">
<label class="form-label">Tenant ID (GUID or domain) *</label>
<input class="form-input" @bind="_form.TenantId" placeholder="contoso.onmicrosoft.com or GUID" />
</div>
@* App registration section *@
<div class="form-group">
<label class="form-label">Client ID (App Registration)</label>
<div class="flex-row" style="gap:8px;align-items:center">
<input class="form-input" @bind="_form.ClientId"
placeholder="Auto-filled after registration, or enter manually"
style="flex:1" />
<button class="btn btn-secondary" @onclick="RegisterAppAsync"
disabled="@(!CanRegister || _registering)"
title="@(CanRegister ? "Register app in client Entra ID (requires an admin who can create app registrations)" : "Fill Tenant URL, Tenant ID and Profile Name first")">
@(_registering ? "Waiting…" : "Register in Entra")
</button>
</div>
<small class="text-muted">
Click "Register in Entra" to auto-create the app registration in the client tenant.
You'll sign in with a client admin account — no secrets, no pre-existing app needed.
Or enter an existing public client App Registration ID manually.
</small>
@if (_deviceCode is not null)
{
<div class="alert alert-info" style="margin-top:10px">
<div style="margin-bottom:6px">Sign in to the <strong>client tenant</strong> to authorize app creation:</div>
<ol style="margin:0 0 8px 18px;padding:0;line-height:1.7">
<li>Open <a href="@_deviceCode.VerificationUri" target="_blank" rel="noopener">@_deviceCode.VerificationUri</a></li>
<li>Enter code:
<code style="font-size:16px;font-weight:700;letter-spacing:1px;background:#fff;padding:2px 8px;border-radius:4px;border:1px solid var(--border)">@_deviceCode.UserCode</code>
</li>
<li>Approve the requested permissions with an admin account.</li>
</ol>
<div class="flex-row" style="gap:8px">
<span class="text-muted">@_regStatus</span>
<button class="btn btn-secondary btn-sm" @onclick="CancelRegistration">Cancel</button>
</div>
</div>
}
else if (!string.IsNullOrEmpty(_regStatus))
{
<div class="text-muted" style="margin-top:8px">@_regStatus</div>
}
</div>
<div class="flex-row mt-8">
<button class="btn btn-primary" @onclick="SaveProfile">Save</button>
<button class="btn btn-secondary" @onclick="CancelForm">Cancel</button>
</div>
</div>
}
@code {
private List<TenantProfile> _profiles = new();
private bool _showForm;
private bool _registering;
private TenantProfile? _editing;
private TenantProfile _form = new();
private string _formError = string.Empty;
private string _pageError = string.Empty;
private SharepointToolbox.Web.Services.OAuth.DeviceCodeStart? _deviceCode;
private string _regStatus = string.Empty;
private CancellationTokenSource? _regCts;
// Graph delegated scopes the admin must consent to so we can create the app registration.
private const string RegistrationScope =
"https://graph.microsoft.com/Application.ReadWrite.All " +
"https://graph.microsoft.com/DelegatedPermissionGrant.ReadWrite.All " +
"https://graph.microsoft.com/Directory.Read.All " +
"openid offline_access";
private bool CanRegister =>
!string.IsNullOrWhiteSpace(_form.Name) &&
!string.IsNullOrWhiteSpace(_form.TenantUrl) &&
!string.IsNullOrWhiteSpace(_form.TenantId);
protected override async Task OnInitializedAsync()
{
_profiles = (await ProfileRepo.LoadAsync()).ToList();
}
protected override async Task OnAfterRenderAsync(bool firstRender)
{
if (!firstRender) return;
await HandleConnectErrorAsync();
}
private async Task HandleConnectErrorAsync()
{
var uri = new Uri(Nav.Uri);
var query = QueryHelpers.ParseQuery(uri.Query);
if (!query.TryGetValue("connect_error", out var err) || string.IsNullOrEmpty(err))
return;
_pageError = err!;
await InvokeAsync(StateHasChanged);
Nav.NavigateTo(uri.GetLeftPart(UriPartial.Path), replace: true);
}
private void AddNew()
{
_editing = null;
_form = new TenantProfile();
_showForm = true;
_formError = string.Empty;
_pageError = string.Empty;
}
private void EditProfile(TenantProfile p)
{
_editing = p;
_form = new TenantProfile { Id = p.Id, Name = p.Name, TenantUrl = p.TenantUrl, TenantId = p.TenantId, ClientId = p.ClientId };
_showForm = true;
_formError = _pageError = string.Empty;
}
private void CancelForm() { _showForm = false; _editing = null; }
private void SelectProfile(TenantProfile p)
{
Session.SetProfile(p);
StateHasChanged();
}
private async Task RegisterAppAsync()
{
if (!CanRegister || _registering) return;
_registering = true;
_formError = string.Empty;
_regStatus = "Requesting a sign-in code…";
_deviceCode = null;
_regCts = new CancellationTokenSource(TimeSpan.FromMinutes(15));
StateHasChanged();
try
{
// Secretless bootstrap: device code flow against the client tenant.
_deviceCode = await DeviceFlow.BeginAsync(_form.TenantId.Trim(), RegistrationScope, _regCts.Token);
_regStatus = "Waiting for sign-in to complete…";
StateHasChanged();
var adminToken = await DeviceFlow.PollForAccessTokenAsync(_form.TenantId.Trim(), _deviceCode, _regCts.Token);
_deviceCode = null;
_regStatus = "Creating the app registration…";
StateHasChanged();
var clientId = await AppRegService.CreateAsync(
adminAccessToken: adminToken,
tenantName: _form.Name,
redirectUri: ConnectOpts.Value.RedirectUri,
ct: _regCts.Token);
_form.ClientId = clientId;
_regStatus = "App registered. Review and Save the profile.";
}
catch (OperationCanceledException)
{
_regStatus = "Registration cancelled.";
}
catch (Exception ex)
{
_formError = $"Registration failed: {ex.Message}";
_regStatus = string.Empty;
}
finally
{
_deviceCode = null;
_registering = false;
_regCts?.Dispose();
_regCts = null;
StateHasChanged();
}
}
private void CancelRegistration()
{
_regCts?.Cancel();
_deviceCode = null;
_regStatus = "Registration cancelled.";
}
private async Task SaveProfile()
{
_formError = string.Empty;
if (string.IsNullOrWhiteSpace(_form.Name)) { _formError = "Name is required."; return; }
if (string.IsNullOrWhiteSpace(_form.TenantUrl)) { _formError = "Tenant URL is required."; return; }
if (string.IsNullOrWhiteSpace(_form.ClientId)) { _formError = "Client ID is required."; return; }
if (string.IsNullOrWhiteSpace(_form.TenantId)) { _formError = "Tenant ID is required."; return; }
if (_editing == null)
{
_form.Id = Guid.NewGuid().ToString();
_profiles.Add(_form);
}
else
{
var idx = _profiles.FindIndex(p => p.Id == _editing.Id);
if (idx >= 0) _profiles[idx] = _form;
}
await ProfileRepo.SaveAsync(_profiles);
_showForm = false; _editing = null;
}
private async Task DeleteProfile(TenantProfile p)
{
_profiles.RemoveAll(x => x.Id == p.Id);
await ProfileRepo.SaveAsync(_profiles);
if (Session.CurrentProfile?.Id == p.Id) await Session.ClearSessionAsync();
}
}
Reference in New Issue View Git Blame Copy Permalink